It may be desirable to enhance or update the functionality of devices after they are placed in the field for use. Consequently, there is a need to securely update software or firmware in “field upgradeable units” such that an attacker cannot modify the units with bogus information.
Existing systems protect against bogus modifications by signing software with cryptographic keys. For instance, a central office can issue an update to a field upgradeable unit along with a signature. The signature, created with the central office's private key, authenticates the update's validity and its source. When an update is issued, the field upgradeable unit authenticates the update using the corresponding public key. If the signature matches, the field upgradeable unit can install the update. If the update signature cannot be authenticated, the field upgradeable unit determines that the update is bogus and rejects it.
The authentication of the update relies on an assumption that the central office's private key is used to create a valid signature that can be authenticated with a copy of the public key at the field upgradeable unit. While the public and private keys may be stored securely, it may be possible for an attacker to obtain the keys. For instance, given sufficient time and computing resources, the attacker may compromise the private key through a brute-force attack on the public key. The public key could be compromised through a ‘mole attack’, in which a person involved in the production of the field upgradeable unit steals the key. In a physical attack, an attacker acquires a field upgradeable unit and replaces the entire memory, which may allow access to the public key.
An attacker who possesses the central office private key can compromise an entire network. For instance, the attacker could use the private key to distribute a bogus update. Because the attacker's bogus update is signed and/or encrypted with valid keys, the field upgradeable unit decrypts and authenticates the bogus update using its public key. Doing so could enable the node's software or firmware to be updated with invalid and/or malicious software.
One solution to resist such attacks is to update the central office public key stored in each field unit periodically, thereby precluding the use of a compromised central office private key. That is, to resist the brute-force attack, the central office public key should be updated faster than the key could be derived by the attacker. To resist the mole attack, the central office public key could be updated before the attacker could use the compromised central office private key to replace a field unit's firmware.
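The Python sketch below is an added example, not part of the original text. It models a field unit that authenticates updates with its stored public key, and shows that an update signed with a compromised old private key is accepted before the unit's public key is replaced and rejected afterwards. Assumptions: the names `FieldUnit`, `rotate_key` and `install` are hypothetical; the signature scheme is unpadded textbook RSA over small fixed primes, chosen only so the example runs with the standard library and unsuitable for real use; how a new public key reaches the unit is not described above and is modelled as a direct replacement.

```python
import hashlib

E = 65537  # public exponent used by both demo keys (assumption)

def make_keypair(p, q):
    """Textbook RSA key pair from two distinct primes (illustration only)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(update, n):
    # SHA-256 of the update, reduced into the key's modulus range.
    return int.from_bytes(hashlib.sha256(update).digest(), "big") % n

def sign(update, private):
    n, d = private
    return pow(digest(update, n), d, n)

class FieldUnit:
    """Hypothetical field upgradeable unit holding one central office public key."""
    def __init__(self, public):
        self.public = public
        self.firmware = b""

    def rotate_key(self, new_public):
        # Assumption: the delivery mechanism for the new key is out of scope here.
        self.public = new_public

    def install(self, update, signature):
        n, e = self.public
        # Reject out-of-range signatures and any signature that does not verify.
        if not 0 <= signature < n or pow(signature, e, n) != digest(update, n):
            return False
        self.firmware = update
        return True

def demo():
    # Constructed keys from known Mersenne primes; far too small for real use.
    old_pub, old_priv = make_keypair(2**127 - 1, 2**89 - 1)
    new_pub, new_priv = make_keypair(2**107 - 1, 2**61 - 1)
    unit = FieldUnit(old_pub)
    good, bogus = b"firmware v2", b"firmware v2 (modified)"
    results = {
        "valid": unit.install(good, sign(good, old_priv)),
        "tampered": unit.install(bogus, sign(good, old_priv)),
        # Old private key assumed compromised: the unit cannot tell the difference.
        "old_key_before_rotation": unit.install(bogus, sign(bogus, old_priv)),
    }
    unit.rotate_key(new_pub)
    results["old_key_after_rotation"] = unit.install(bogus, sign(bogus, old_priv))
    results["new_key"] = unit.install(good, sign(good, new_priv))
    return results
```

Calling `demo()` returns one boolean per scenario; the only result that changes with rotation is the update signed with the old private key.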